Tuesday, September 30, 2008
Finished the EIGRP section.
EIGRP stub routers are interesting: there are options for the stub router to advertise only certain types of routes. If the stub router has redistributed routes and you want them advertised to its EIGRP neighbors, you can do so. The options are connected, summary, static, redistributed, and receive-only.
Sunday, September 28, 2008
Look over here!!! =======>
I'm trying out something. If you work for a company that gives you an incentive to help bring in new talent for open positions, why not market that position to the masses? It'll help you earn your incentive while at the same time helping a person find a rewarding career opportunity. If interested, look over to the column on the right... a little higher... right there! Jobs!
Send job opportunities to me at Andrew@netengineer.org and I'll post them with contact info for you, so that others can contact you if they're interested. In the email write a brief description and location and any other details you may want to disclose about the job, or just have them contact you directly.
Friday, September 26, 2008
99.9% Done with EIGRP (S2N) (notes)
Some things to remember about EIGRP:
- K values: they represent the five metric components EIGRP can use to determine the best route to a subnet. Only K1 and K3 are "on" by default; K1 is bandwidth and K3 is delay.
- An EIGRP summary does not, by default, advertise its component routes; only the summary route is advertised. To get component routes advertised as well, use a leak map, which is essentially a route-map referenced from the summary statement. If the summary statement references a leak map that does not exist, only the summary is advertised (the default behaviour). If the route-map exists but the ACL it references does not, then the summary plus all of the component routes are advertised.
- Under the EIGRP process you can have routes with more than X hops treated as unreachable: metric maximum-hops X
- You can change the administrative distance of EIGRP routes, internal and external separately: distance eigrp N1 N2, where N1 is the distance for internal EIGRP routes and N2 for external routes.
- Under each interface participating in EIGRP you can cap the bandwidth used by EIGRP updates: ip bandwidth-percent eigrp AS PERCENT, where AS is the EIGRP process (autonomous system) number and PERCENT is the share of the interface bandwidth EIGRP may use (the default is 50).
I've got one more lab in this section to complete and it has to do with EIGRP stub.
Wednesday, September 24, 2008
Completed RIP (S2N)!
So after completing Lab 14 this week, I decided to get a head start on S2N before my class starts in November. I found it relatively easy, minus Lab 7, Advanced RIP; I learned something new today!
RIP and EIGRP validate the source IP of the updates that come in, and you can turn this off. Weird/cool.
Tuesday, September 23, 2008
Completed Lab 14. (notes)
Completed Lab 14; all in all it wasn't that difficult. I found it much easier than the previous lab, and it was much more straightforward.
One thing that got me was using Local-AS in BGP. You need to be careful when changing AS numbers to ensure that you don't use a local AS that's in use somewhere else. The task, I'm not sure if it was on purpose, said to use the same AS number in two different places. When I got to the AS that I had management of, I wasn't able to see the BGP-advertised routes because the AS path had its own AS as part of the path. BGP won't learn routes if it thinks the routes are from itself, probably a way to prevent looping.
It got me because I didn't look at the AS path carefully enough, and sure enough it was there. Local-AS has a way to avoid this by removing the local AS from the path when advertising out.
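To make the loop-prevention behaviour described above concrete, here is an added Python model (example code, not from the original post or the lab) of the AS_PATH check and of what `local-as` does to the path on the way in and out. The router names and AS numbers are constructed; only the rules are real BGP behaviour.

```python
# Added example (not code from the original post): a small model of the
# BGP AS_PATH loop check and how `neighbor ... local-as` interacts with it.
# Router names and AS numbers below are constructed for illustration only.
from typing import List, Optional


def accept_update(my_as: int, as_path: List[int]) -> bool:
    """eBGP loop prevention: an UPDATE whose AS_PATH already contains the
    receiving router's own AS number is dropped."""
    return my_as not in as_path


def inbound_path(received: List[int], local_as: Optional[int] = None,
                 no_prepend: bool = False) -> List[int]:
    """Path stored after receiving a route on a session configured with
    `local-as`: the local-as is prepended (as if the route had really
    passed through that AS) unless `no-prepend` is configured."""
    if local_as is None or no_prepend:
        return list(received)
    return [local_as] + list(received)


def outbound_path(my_as: int, path: List[int], local_as: Optional[int] = None,
                  replace_as: bool = False) -> List[int]:
    """Path sent to an eBGP neighbor. Without local-as only the real AS is
    prepended; with local-as the neighbor sees the local-as in front of the
    real AS, unless `replace-as` hides the real AS entirely."""
    if local_as is None:
        return [my_as] + list(path)
    if replace_as:
        return [local_as] + list(path)
    return [local_as, my_as] + list(path)


def lab_scenario(no_prepend: bool) -> tuple:
    """Constructed reproduction of the lab symptom.

    R1 is really AS 100 but peers with BB (AS 300) using `local-as 200`.
    R1 then advertises what it learned to R3, whose real AS is 200.
    Returns (path R3 receives, whether R3 accepts it)."""
    bb_to_r1 = [300, 400]                                   # BB's advertisement
    r1_stored = inbound_path(bb_to_r1, local_as=200, no_prepend=no_prepend)
    r1_to_r3 = outbound_path(100, r1_stored)                # plain eBGP session to R3
    return r1_to_r3, accept_update(200, r1_to_r3)


if __name__ == "__main__":
    for flag in (False, True):
        print("no-prepend" if flag else "default   ", lab_scenario(flag))
```

With the default behaviour R3 receives [100, 200, 300, 400], sees its own AS 200 in the path and drops the route; with `no-prepend` on R1's session to BB the path is [100, 300, 400] and R3 installs it.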
Thursday, September 18, 2008
Manipulating OSPF cost to load balance. (notes)
So as a side task, I took it upon myself to see if I could load balance over an FE and a Frame Relay link to a specific destination. I had two routers (R2 and R6) interconnected via their FastEthernet 0/0 interfaces (VLAN 26); R2 has a Frame Relay link to R5 and R6 has an FE link to R5. VLAN 26 is originally in EIGRP and is redistributed into OSPF, so it comes in as an E1 route after I designated it as such.
Undoubtedly, R5 takes the FE link through R6 to get to VLAN 26, since the cost is much less (21, i.e. 20+1) than via the Frame Relay serial link (84, i.e. 20+64). I went ahead and changed the OSPF cost of the FE link to 64, and sure enough both next hops show up in the routing table.
So I kept playing around with this: I changed the metric type to type 2 to see what happens. I confirmed that I see the route in the routing table, changed the FE's OSPF cost to 64 again, and sure enough it's load balancing again, but this time the cost is 20 for both routes.
As a review, the metric of an E2 route (the default when redistributing) is only the external metric set at the ASBR; the 20 here is the default seed metric OSPF assigns to redistributed routes (BGP is the exception, at 1), not the cost of the FE interface the destination sits on. The internal cost to the ASBR is not added to an E2 metric, but it is still used as the tie-breaker between E2 routes with the same external metric, which is why the FE cost had to be changed to 64 again before both paths were installed. An E1 route's metric is the external metric plus the internal cost of the whole path to the ASBR, hence 20 + 64. Since a serial link has a default OSPF cost of 64 (the default reference bandwidth of 100 Mb/s divided by a T1's 1544 kb/s), I needed to make the cost of the FE link the same (ip ospf cost 64) to get load balancing to work.
Following this train of thought further: if I can't modify the cost directly, I can probably modify the interface bandwidth to accomplish the same thing, since the cost is derived from it.
I guess the point is to come up with all sorts of scenarios in your head, stray from the straight and narrow of doing a lab task, and you'll learn something interesting.
*ref L5.
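To make the E1 versus E2 arithmetic above concrete, here is an added Python model (example code, not from the original post or the workbook) that computes which next hops R5 installs for VLAN 26 under each metric type. Router names are the post's; the bandwidth values (100 Mb/s FE, 1544 kb/s serial) and the seed metric of 20 are the IOS defaults, and the `ExternalPath` structure is an assumption made for the model.

```python
# Added example (not from the original post): how OSPF picks among external
# routes with metric type E1 vs E2, using the costs from the lab above
# (FE = 1, Frame Relay serial = 64, external metric 20). Router names are
# the post's; the per-path numbers are constructed to match its text.
from dataclasses import dataclass
from typing import List

REF_BW_KBPS = 100_000  # default `auto-cost reference-bandwidth 100`


def ospf_cost(bandwidth_kbps: int) -> int:
    """Interface cost = reference bandwidth / interface bandwidth (min 1).
    Changing `bandwidth` therefore changes the cost, as the post guesses."""
    return max(1, REF_BW_KBPS // bandwidth_kbps)


@dataclass(frozen=True)
class ExternalPath:
    via: str            # next hop (the ASBR that redistributed the route)
    ext_metric: int     # metric carried in the type-5 LSA (seed metric 20)
    internal_cost: int  # this router's OSPF cost to reach that ASBR


def installed_paths(paths: List[ExternalPath], metric_type: int) -> List[str]:
    """Next hops OSPF installs for one external prefix.

    E1: compare ext_metric + internal_cost.
    E2: compare ext_metric only; ties are broken by internal_cost (the
        forwarding cost). All equal-cost paths are installed (up to maximum-paths)."""
    if metric_type == 1:
        def key(p): return (p.ext_metric + p.internal_cost,)
    elif metric_type == 2:
        def key(p): return (p.ext_metric, p.internal_cost)
    else:
        raise ValueError("metric_type must be 1 or 2")
    best = min(key(p) for p in paths)
    return [p.via for p in paths if key(p) == best]


def r5_next_hops(fe_cost: int, metric_type: int, seed_metric: int = 20) -> List[str]:
    """R5's view: VLAN 26 via R6 over FE (fe_cost) or via R2 over a T1
    Frame Relay link (cost 64, from ospf_cost(1544))."""
    paths = [
        ExternalPath("R6", seed_metric, fe_cost),
        ExternalPath("R2", seed_metric, ospf_cost(1544)),
    ]
    return installed_paths(paths, metric_type)


if __name__ == "__main__":
    print("E1, FE cost 1 :", r5_next_hops(1, 1))    # ['R6']        (21 vs 84)
    print("E1, FE cost 64:", r5_next_hops(64, 1))   # ['R6', 'R2']  (84 vs 84)
    print("E2, FE cost 1 :", r5_next_hops(1, 2))    # ['R6']        (20 vs 20, tie on 1 vs 64)
    print("E2, FE cost 64:", r5_next_hops(64, 2))   # ['R6', 'R2']
```

The E2 case is the one worth remembering: the routing table shows 20 for both candidates, but only the tie-break on forwarding cost decides whether one or both are installed.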
Wednesday, September 17, 2008
BGP Maximum Paths (notes)
Setting maximum-paths allows load balancing over more than one BGP path to the same prefix. By default BGP installs only the single best path in the routing table; with maximum-paths N (and maximum-paths ibgp N for iBGP-learned paths) up to N paths are installed, provided they tie on the usual attributes (weight, local preference, AS path length, origin, MED, and by default the same neighboring AS for eBGP).
Another little tidbit to add to my knowledge base.
Tuesday, September 16, 2008
BGP Local AS (notes)
BGP Local-AS, something simple that I wasn't aware of.
It lets you appear to a neighbor as any AS you want. Thinking about it, it's a pretty useful feature.
I asked the instructor, on a task in a practice lab, whether or not the AS number was a typo; he said it wasn't, and to use a tool to get the BB router to peer with my router even if my router's AS is not the AS the BB thinks it is.
Just adding this tidbit to my knowledge base.
Monday, September 15, 2008
Socked in the face... by Lab 11.
Wow, did I screw up Lab 11... to the point where even the most basic things broke. At some point, creating port channels to aggregate bandwidth ended up killing 3 of my 4 links (err-disabled), which broke OSPF and a number of other things. Lay MST on top of that on the Layer 3 switches and I couldn't even ping the backbone routers.
... and this is a few hours into it. At some point you have to ask: is this worth troubleshooting, or is it easier to blow it away and start over? (Of course there's no guarantee that you won't make the same unknown mistakes and end up with the same issues.)
Not a good day.
Scheduled Narbik's Class!
I'm all set for Narbik's class in November. I'm pretty sure that this will be my last class; two is enough, no?
Three sessions left with Terry; we're knee-deep into advanced mock labs and it's getting kind of crazy. A good kind of crazy, if you're masochistic.
I figure I'll concentrate on the weekly labs, as they're getting more difficult, which takes a bit longer to complete and ultimately leaves me less time to do other tech-focused labs during the week.
Wednesday, September 10, 2008
Lab 6 reviewed... Multicast, epic fail.
It's official, I suck at multicast. I reviewed the final configs of Lab 6 with a classmate and I'm behind the ball when it comes to multicast.
On a different note, I stopped IEWB1; I feel like I've gotten a good amount from it and it's time I review the fundamentals... again. I'm doing the Soup to Nuts book, starting over with Frame Relay, then on to RIPv2, EIGRP, OSPF, etc.
Monday, September 8, 2008
0.49 done with Security - breaking for Lab 6.
So I'm a little less than halfway done with Security, but I need to break for two reasons: (1) the IOS I'm using on dynamips doesn't support "ip inspect", and (2) I need to finish up Lab 6.
I should be done with Lab 6 and ready to spend the rest of the week completing as much of Security as I can before moving on to the next workbook.
An interesting development while doing Lab 6: I configured IPv6 on a multipoint Frame Relay network configured as hub and spoke, and for the life of me I couldn't figure out why I couldn't ping spoke to spoke. I configured the link-local IPv6 addresses, mapped them to the right DLCIs, configured the IPv6 global addresses, enabled IPv6 on the interfaces, etc. I was able to ping from hub to spoke but not spoke to spoke. I decided to give up. I moved on to OSPFv3 and there it was... IPv6 unicast routing wasn't enabled on the hub. Duh.
Wednesday, September 3, 2008
Done with IP services IEWB1, on to Security
So a quick recap on IP Services, mostly NAT.
You can do a lot of neat things with NAT: stateful NAT failover, port address redirection, load balancing, and more. I think this section is one to go over again, as it takes some thought and logic to implement some of these things.
I'm on to Security and then I think that's it (that's with skipping multicast). I'll probably have to run through the entire workbook once more, but it shouldn't take me too long. It's usually easier the second time around.
well... on to security.
IEWB1 IP Services p3 (notes)
Almost done with IEWB1 IP Services... just... 1... more... section.
In the meantime, another cool feature with NAT...
Destination NAT for Load Balancing
Let's say you have two Telnet "servers" and your ISP only gives you one routable IP address. You can use NAT to balance the incoming Telnet load, like so:
!
! ip nat inside / ip nat outside still have to be applied to the
! LAN-facing and ISP-facing interfaces (not shown here)
!
ip nat pool SERVERS prefix-length 24 type rotary
 address 10.0.0.1 10.0.0.1
 address 10.0.0.6 10.0.0.6
!
ip access-list extended INBOUND_TELNET
 permit tcp any host 150.1.4.4 eq 23
!
ip nat inside destination list INBOUND_TELNET pool SERVERS
!
So the pool SERVERS designates the inside resources, in this case the Telnet servers 10.0.0.1 and 10.0.0.6 (prefix-length 24 is the mask applied to those addresses). The INBOUND_TELNET ACL specifies the inside global address (and port) that gets translated to the inside local addresses, the actual servers. The first connection goes to .1, the next to .6, and so on, because of the rotary type. Two caveats worth knowing: rotary NAT is plain round-robin with no health check, so if one server is down every other new connection fails; and the distribution is per connection, not per client. Also, this is exposing Telnet on a public address, so outside a lab restrict who can reach 150.1.4.4 port 23 with an ACL and prefer SSH on the servers.
I did something similar with my PIX 506E to reach both my PC and my console server with one global IP (although it's not the same, since it's not load balanced).
Tuesday, September 2, 2008
IEWB1 IP Services P2 (notes)
I'm working through the NAT portion of the IP Services section, and it's taken me some time to set up the common configs in dynamips, since the first two times I attempted to set up the common topology the IOS crapped out on me. I finally got the right IOS that supports NAT and doesn't crash.
An interesting way of doing NAT that I didn't know of:
NAT redundancy with Route-maps
Let's say you have two routers connected in two ways, a point-to-point serial link and a Frame Relay link. Assume the internal network is 10.0.0.0/24 and the external addresses are in 150.1.0.0/16. The objective is to translate the source IP address using whichever outside interface is currently active. You have one inside interface, FastEthernet0/0, and two outside interfaces: Serial0/1 for the Frame Relay connection and Serial1/0 for the point-to-point link.
On the NAT router:
!
interface FastEthernet0/0
 ip nat inside
!
interface Serial0/1
 ip nat outside
!
interface Serial1/0
 ip nat outside
!
! the inside network both route-maps refer to
ip access-list standard INSIDE_NET
 permit 10.0.0.0 0.0.0.255
!
route-map FR_INT permit 10
 match interface Serial0/1
 match ip address INSIDE_NET
!
route-map PT2PT_INT permit 10
 match interface Serial1/0
 match ip address INSIDE_NET
!
ip nat inside source route-map FR_INT interface Serial0/1 overload
ip nat inside source route-map PT2PT_INT interface Serial1/0 overload
!
Note how the two match statements combine: different match types in one route-map clause are ANDed (it is the values listed within a single match statement that are ORed). So FR_INT matches only a packet that both has a source in INSIDE_NET and is being routed out Serial0/1, and PT2PT_INT likewise for Serial1/0. That is what gives the redundancy: the inside hosts are PAT-ed to the address of whichever outside interface the routing table is currently using. One operational caveat: existing translations are not torn down when the route moves, so after a failover the entries bound to the old interface linger until they time out or you clear them (clear ip nat translation *), and sessions established before the failover keep the old inside global address until then.
Policy NAT with Route-Maps
So let's say you want only certain traffic to use the FR link and everything else to use the point-to-point link, very similar to policy-based routing. The NAT side of that is policy NAT: a route-map decides which translation applies to which traffic.
Let's say you have a router with two WAN Internet links and you want outbound FTP traffic translated to the FR link's address and all other traffic to the point-to-point link's address.
Using the same topology as the previous example.
!
interface FastEthernet0/0
 ip nat inside
!
interface Serial0/1
 ip nat outside
!
interface Serial1/0
 ip nat outside
!
ip access-list extended FTP
 permit tcp 10.0.0.0 0.0.0.255 any eq ftp
!
ip access-list extended ALL_OTHER
 deny tcp 10.0.0.0 0.0.0.255 any eq ftp
 permit ip any any
!
! NAT only evaluates the match clauses of these route-maps; the set
! interface lines are ignored by NAT and would only steer traffic if a
! route-map were applied as PBR (ip policy route-map) on the inside interface
route-map FTP permit 20
 match ip address FTP
 set interface Serial0/1
!
route-map ALL_OTHER permit 20
 match ip address ALL_OTHER
 set interface Serial1/0
!
ip nat inside source route-map FTP interface Serial0/1 overload
ip nat inside source route-map ALL_OTHER interface Serial1/0 overload
!
Now on the NAT router run debug ip nat detailed, start an FTP session from the inside, and then a ping from the inside. You should see the FTP traffic match route-map FTP and get translated to Serial0/1's address, and the ping match ALL_OTHER and get translated to Serial1/0's address.
What the debug won't tell you is which link the packets actually left on. A NAT route-map is only consulted for its match clauses (match ip address, match interface, match ip next-hop); set clauses are ignored, so set interface does nothing here and the egress interface is still chosen by the routing table. If the route to the destination points out Serial1/0, the FTP packets leave Serial1/0 carrying Serial0/1's address, which an upstream doing ingress filtering may drop. To really steer FTP onto the FR link, apply policy-based routing on the inside interface as well, and it is worth adding match interface to each route-map so a translation is only applied to traffic that is genuinely leaving that interface.
Pretty interesting stuff.
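Here is an added Python model (example code, not from the original post or the workbook) of how IOS evaluates the route-maps in both the NAT redundancy and the policy NAT examples above. It is meant to show two things: that the match interface and match ip address statements in FR_INT/PT2PT_INT are ANDed, and that a NAT route-map only picks the translation address while the egress interface stays whatever routing (or PBR) decided. The outside interface addresses, the sample packets and the `Packet`/`AclEntry`/`Clause` structures are constructed for the model.

```python
# Added example (not from the original post): a model of how IOS evaluates the
# NAT route-maps from the two examples above. It shows that the two match
# statements in FR_INT/PT2PT_INT are ANDed, and that a NAT route-map only
# selects the translation address: the egress interface is whatever routing
# (or PBR) already decided. Addresses and packets are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IF_ADDRS = {"Serial0/1": "150.1.2.2", "Serial1/0": "150.1.3.2"}  # hypothetical


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp" or "ip"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" / "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # "addr wildcard" or "any"
    dst: str
    dport: Optional[int] = None  # "eq <port>"


def _wild_match(ip: str, spec: str) -> bool:
    """IOS address/wildcard test: bits that are 0 in the wildcard must match."""
    if spec == "any":
        return True
    net, wild = spec.split()
    keep = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & keep == int(ipaddress.IPv4Address(net)) & keep


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; no match is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_wild_match(pkt.src, e.src) and _wild_match(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


@dataclass
class Clause:
    """One route-map permit clause. Values in one match statement are ORed;
    different match types in the same clause are ANDed."""
    interfaces: List[str] = field(default_factory=list)  # match interface ...
    acls: List[str] = field(default_factory=list)        # match ip address ...

    def matches(self, acl_db: Dict[str, List[AclEntry]], pkt: Packet, egress: str) -> bool:
        if self.interfaces and egress not in self.interfaces:
            return False
        if self.acls and not any(acl_permits(acl_db[a], pkt) for a in self.acls):
            return False
        return True


def nat_source(rules: List[Tuple[str, str]], rms: Dict[str, List[Clause]],
               acl_db: Dict[str, List[AclEntry]], pkt: Packet, egress: str) -> Optional[str]:
    """rules = (route-map, outside interface) pairs from
    `ip nat inside source route-map <rm> interface <if> overload`.
    Returns the inside-global address the packet is PAT-ed to, or None.
    NAT ignores set clauses, so `egress` is an input here, never an output."""
    for rm, outside_if in rules:
        if any(c.matches(acl_db, pkt, egress) for c in rms[rm]):
            return IF_ADDRS[outside_if]
    return None


# "NAT redundancy with route-maps"
RED_ACLS = {"INSIDE_NET": [AclEntry("permit", "ip", "10.0.0.0 0.0.0.255", "any")]}
RED_RMS = {"FR_INT": [Clause(["Serial0/1"], ["INSIDE_NET"])],
           "PT2PT_INT": [Clause(["Serial1/0"], ["INSIDE_NET"])]}
RED_RULES = [("FR_INT", "Serial0/1"), ("PT2PT_INT", "Serial1/0")]


def redundancy(src: str, egress: str) -> Optional[str]:
    return nat_source(RED_RULES, RED_RMS, RED_ACLS, Packet(src, "150.1.9.9", "tcp", 80), egress)


# "Policy NAT with route-maps"
POL_ACLS = {"FTP": [AclEntry("permit", "tcp", "10.0.0.0 0.0.0.255", "any", 21)],
            "ALL_OTHER": [AclEntry("deny", "tcp", "10.0.0.0 0.0.0.255", "any", 21),
                          AclEntry("permit", "ip", "any", "any")]}
POL_RMS = {"FTP": [Clause(acls=["FTP"])], "ALL_OTHER": [Clause(acls=["ALL_OTHER"])]}
POL_RULES = [("FTP", "Serial0/1"), ("ALL_OTHER", "Serial1/0")]


def policy(pkt: Packet, egress: str) -> Optional[str]:
    return nat_source(POL_RULES, POL_RMS, POL_ACLS, pkt, egress)
```

Calling redundancy("10.0.0.5", "Serial0/1") gives Serial0/1's address and the same source routed out Serial1/0 gives Serial1/0's, while a source outside INSIDE_NET gets no translation at all even when it leaves Serial0/1, which is the AND. For the policy config, an FTP packet gets Serial0/1's address whether routing sends it out Serial0/1 or Serial1/0, which is the caveat in the text.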
Stupid Optimum Online.... Argghhh!
Well, I lost connectivity to my gear and a traceroute shows that I can reach my home's ISP but not my devices. I get as far as a node on Optimum Online's network but it dies there. This has been happening on and off for the last 2 weeks. That pretty much means I can't lab up anything until connectivity is restored.
Monday, September 1, 2008
IEWB1 IP Services (notes p1)
I'm working through IP Services, and so far proxy ARP, securing VTY access, DHCP, AutoInstall over Frame Relay, and router menus have worked out well. However, NTP and NTP authentication have not; I think there may be something wrong with the configs. I'm close to halfway done with this section.
Some cool things:
1. Router Menus
This allows you to present a menu to the user logging in to the router. It's cool in the sense that you could probably use this to restrict commands, and maybe even let low-level techs log in and assess the health of a network.
Configs to follow -
username CISCO privilege 15 password 0 CISCO
username CISCO autocommand menu USERMENU <= this ties the menu to the user
!
menu USERMENU title ^C
Sample Menu
^C
menu USERMENU text 1 "Current Configuration"
menu USERMENU command 1 show run
menu USERMENU text 2 "Ping R1"
menu USERMENU command 2 ping 155.1.146.1
menu USERMENU text 3 "telnet to R6"
menu USERMENU command 3 telnet 155.1.146.6
menu USERMENU text 4 "exit to shell"
menu USERMENU command 4 menu-exit
menu USERMENU text 5 "Exit"
menu USERMENU command 5 exit
!
line vty 0 4
 login local
Treat the menu as a convenience rather than a security boundary: the user above is privilege 15, item 4 (menu-exit) drops them into a full privileged shell, and item 1 (show run) displays the running configuration including any cleartext passwords. To actually restrict what a tech can run, use privilege levels (privilege exec level ...) or a role-based CLI view, and store credentials with username ... secret rather than password 0.
2. Securing VTY Access (SSH)
Restrict VTY access to SSH, which is more secure than Telnet (Telnet sends the login in the clear).
ip domain-name ccie.com
crypto key generate rsa general-keys modulus 512 <= an exec command, not config; "general-keys modulus 512" is optional, and if you leave it off you're prompted for the key size
!
line vty 0 4
 login local
 transport input ssh
!
username ccie password cisco
One caveat on the key size: 512 bits is far too small to rely on (IOS needs at least 768 bits to run SSH version 2 at all, and anything under 2048 should be treated as breakable), so generate a 2048-bit or larger key and add ip ssh version 2 so that SSHv1, which has known protocol weaknesses, is not offered.
3. VTY access using Rotary
Anyone telnetting from the 150.1.123.0/24 subnet to port 23 will gain access, as will anyone from 150.1.0.0/24 connecting to the rotary group's port. A rotary group n is reached on TCP port 3000+n for Telnet (so rotary 1 is port 3001); 5000+n is the raw TCP variant and 7000+n the binary one, while the 2000/4000/6000 ranges address individual physical lines rather than rotary groups.
This is interesting, as it allows "normal" Telnet access from inside your network while requiring a non-standard port when coming from outside: you need to know not only the IP but also the port. Don't mistake that for real protection, though; a port scan finds 3001 in seconds, so the access-class ACL (and ideally SSH instead of Telnet) is what actually limits exposure. The deny ... log entry at least gives you a record of who tried.
line vty 0 4
 rotary 1
!
access-list 100 permit tcp 150.1.123.0 0.0.0.255 any eq 23
access-list 100 permit tcp 150.1.0.0 0.0.0.255 any eq 3001
access-list 100 deny ip any any log
!
line vty 0 4
 login local
 access-class 100 in
!
username ccie password ccie
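Since all three items above are really about what an IOS config leaves exposed on the VTY lines, here is an added Python script (example code, not from the original post or the workbook) that audits a running-config for those points: cleartext username passwords, a privilege-15 user whose autocommand menu offers menu-exit, SSHv1 still allowed, and VTY lines that accept Telnet or have no access-class. Both config snippets are constructed to mirror the post's examples rather than captured from a device, and the check names are my own.

```python
# Added example (not from the original post): a small audit over an IOS
# running-config for the VTY/menu/SSH points discussed above. The two
# config snippets are constructed to mirror the post's examples, not
# captured from a real device; the check ids are arbitrary labels.
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (check id, what it applies to)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and `line ...` sub-blocks
    (IOS indents sub-mode commands by one space)."""
    top: List[str] = []
    lines: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        cmd = raw.rstrip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith(" "):
            if current is not None:
                lines[current].append(cmd.strip())
            continue
        current = None
        if cmd.startswith("line "):
            current = cmd
            lines[current] = []
        else:
            top.append(cmd)
    return top, lines


def audit(text: str) -> List[Finding]:
    top, lines = parse_config(text)
    findings: List[Finding] = []
    priv15, menu_users, menus_with_exit = set(), {}, set()
    for cmd in top:
        m = re.match(r"username (\S+) (.+)", cmd)
        if m:
            user, rest = m.groups()
            if re.search(r"\bpassword\b", rest):      # type 0/7, not a hash
                findings.append(("cleartext-password", user))
            if "privilege 15" in rest:
                priv15.add(user)
            am = re.search(r"autocommand menu (\S+)", rest)
            if am:
                menu_users[user] = am.group(1)
        m = re.match(r"menu (\S+) command \d+ menu-exit", cmd)
        if m:
            menus_with_exit.add(m.group(1))
    if "ip ssh version 2" not in top:
        findings.append(("ssh-v1-allowed", "ip ssh version 2 missing"))
    for user, menu in menu_users.items():
        if user in priv15 and menu in menus_with_exit:
            # menu-exit drops a privilege-15 user into a full exec shell
            findings.append(("menu-not-a-boundary", user))
    for header, sub in lines.items():
        if not header.startswith("line vty"):
            continue
        # absent transport input: the default depends on the IOS version,
        # so anything other than an explicit ssh-only setting is flagged
        if not any(s == "transport input ssh" for s in sub):
            findings.append(("telnet-allowed", header))
        if not any(s.startswith("access-class") for s in sub):
            findings.append(("no-access-class", header))
    return findings


# Constructed config mirroring the post's examples.
WEAK_CONFIG = """\
hostname R4
ip domain-name ccie.com
username CISCO privilege 15 password 0 CISCO
username CISCO autocommand menu USERMENU
username ccie password cisco
menu USERMENU command 1 show run
menu USERMENU command 4 menu-exit
line vty 0 4
 login local
 transport input telnet ssh
"""

# Same device with the fixes applied (credentials are placeholders).
HARDENED_CONFIG = """\
hostname R4
ip domain-name ccie.com
ip ssh version 2
username ccie privilege 1 secret 0 cisco
access-list 100 permit tcp 150.1.123.0 0.0.0.255 any eq 22
access-list 100 deny ip any any log
line vty 0 4
 login local
 transport input ssh
 access-class 100 in
"""

if __name__ == "__main__":
    for check, where in audit(WEAK_CONFIG):
        print(f"{check:22} {where}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run against WEAK_CONFIG it reports every one of the five conditions; against HARDENED_CONFIG it reports nothing. It is deliberately line-based and IOS-specific, which is enough to diff a lab config before and after hardening.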
Terry's Class Lab 5 and Lab 6.
Since it's a long holiday weekend, class was pushed back until the following week. However, that doesn't mean that there's no work to be done.
I completed Lab 5, which I believe is the current assignment due next week, and I'm taking a stab at Lab 6.
Here's my recap on Labs 1 through 5. They're basic labs that should take no more than 4 hours each; they're meant to test you on the fundamental configuration of IGPs, BGP and some IP services. Lab 5 introduces IPv6 and IPv6 routing and some MST/MSTP. Overall, they're not too difficult, and doing a second pass cuts my initial time by about half.
I think moving forward from here, Labs 6 through 10 are going to be tough for me. Not only will they most likely get progressively more difficult, but they'll be testing me on subjects that I'm not familiar with, the more advanced topics like multicast, IOS security, IP services, etc. Things that I'm going to have to look up via Google or the Doc CD.
On a side note regarding IEWB1, I'm still working through IP Services.